H3-2023-0009
Kerberos Unconstrained Delegation
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.1 |
Description
An Active Directory principal (e.g., a user, machine, or service account) configured with Unconstrained Delegation can impersonate any unprotected domain principal when connecting to ANY service.
Impact
If an attacker obtains authentication material for the principal with Unconstrained Delegation privileges, the attacker could impersonate a domain administrator on any AD-joined device, including Domain Controllers, leading to domain compromise.
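The following audit sketch is an added example, not part of the original advisory. It classifies exported `userAccountControl` values to list principals that carry unconstrained delegation and privileged accounts that remain delegatable. The account names, the export format, and the reading of "unprotected" as "neither flagged NOT_DELEGATED nor a member of Protected Users" are assumptions.

```python
# userAccountControl bit values (documented Active Directory flags).
ACCOUNTDISABLE = 0x000002
SERVER_TRUST_ACCOUNT = 0x002000    # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x080000  # unconstrained delegation enabled
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample export (hypothetical names):
# (sAMAccountName, userAccountControl, member of Protected Users?)
SAMPLE = [
    ("DC01$",      0x082000, False),  # domain controller, flag set by default
    ("WEB01$",     0x081000, False),  # member server with unconstrained delegation
    ("svc-legacy", 0x080200, False),  # user account with unconstrained delegation
    ("svc-old",    0x080202, False),  # same, but disabled
    ("da-alice",   0x000200, False),  # privileged, no delegation protection
    ("da-bob",     0x100200, False),  # privileged, NOT_DELEGATED set
    ("da-carol",   0x000200, True),   # privileged, in Protected Users
]


def delegation_findings(records):
    """Enabled, non-DC principals that hold unconstrained delegation."""
    findings = []
    for name, uac, _protected in records:
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # expected on domain controllers
        if uac & ACCOUNTDISABLE:
            continue  # cannot authenticate; review separately
        findings.append(name)
    return findings


def delegatable_accounts(records, privileged):
    """Privileged accounts whose tickets can still be delegated."""
    exposed = []
    for name, uac, in_protected_users in records:
        if name not in privileged:
            continue
        if uac & NOT_DELEGATED or in_protected_users:
            continue
        exposed.append(name)
    return exposed


if __name__ == "__main__":
    admins = {"da-alice", "da-bob", "da-carol"}  # hypothetical privileged set
    print("Unconstrained delegation:", delegation_findings(SAMPLE))
    print("Delegatable privileged accounts:", delegatable_accounts(SAMPLE, admins))
```
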